The document discusses managing multi-cloud networking resources. It provides an overview of networking designs across different cloud providers like AWS, GCE, and CloudStack. It then summarizes RightScale's approach to providing unified abstractions for networking resources across multiple clouds. This includes creating common entities like networks, subnets, security groups, and handling inconsistent or missing resources through synthetic representations. The abstractions allow for consistent definition and management of infrastructure through a single API and user interface.
Slide 4
#RightscaleCompute
Introduction
• Networking is messy…even in the Cloud!
• Different Cloud Providers pick different designs
• Leads to different exposed API resources, different behavior
• Also leads to different naming conventions and API semantics
• Cloud software can also be heavily customized on installation
• So even for the same cloud type, two clouds can behave quite differently
• All of this changes very rapidly
• New versions of APIs expose new resources
• Some changes break semantic compatibility or become defaults
Slide 6
Introduction (contd.)
• But… mess and variability are not bad, they are necessary
• In fact, they are great!
• Companies need choice and configuration flexibility
• One size doesn’t fit all
• You must embrace it
• Take advantage of the features and characteristics that make sense for you
• But not at the cost of losing focus on your business
• So
• Instead of grooming an army of experts on cloud networking
• Let others do that for you so you don’t have to
“Maintain control, without having to be bogged down with non-business details”
Slide 11
Amazon EC2
• Each region can have multiple VPCs
• Each VPC defines a network isolation perimeter
• Incoming/Outgoing communication must go through GW
[Diagram: Amazon EC2 VPCs (x N), each behind a GW]
Slide 12
Amazon EC2
• Subnets further segment VPCs into IP CIDR groups
• Instances can be connected to a Subnet through an ENI
• A Subnet is scoped to a single Availability Zone
[Diagram: Amazon EC2 VPCs (x N) behind a GW, each containing Subnets 1-3 with Elastic Network Interfaces]
Slide 13
Amazon EC2
• A VPC also scopes (and therefore contains)
• SecurityGroups
• Routing Tables
• Network ACLs
[Diagram: Amazon EC2 VPCs (x N) behind a GW; each VPC contains Security Groups, Routing Tables, Network ACLs, and Subnets 1-3 with Elastic Network Interfaces]
Slide 14
Amazon EC2
• Instances can be bound to multiple Subnets (of a matching AZ)
• The Security Groups are bound to each attached ENI
• And not to the Instance as a whole
[Diagram: Amazon EC2 VPCs (x N) behind a GW; each VPC contains Security Groups, Routing Tables, Network ACLs, and Subnets 1-3 with Elastic Network Interfaces]
Slide 16
Amazon EC2 (Classic)
• There aren’t any Subnets, Routing Tables or Network ACLs
• Security Groups are scoped to the implicit single Network
[Diagram: Amazon EC2 Classic: a single Network (x1) behind NAT, with Security Groups]
Slide 17
Amazon EC2 (Classic)
[Diagram: Amazon EC2 Classic: a single Network (x1) behind NAT, with Security Groups]
• There aren’t any subnets, routing tables or Network ACLs
• Security Groups are scoped to the implicit single Network
• And their rules apply to the Instance as a whole (only 1 implicit Interface)
Slide 18
Google Compute Engine
• GCE cloud is global: there aren’t different regional endpoints
• Networks within the cloud define a network isolation perimeter
• Incoming/Outgoing communication must go through the GW
[Diagram: GCE Networks (x N), each behind a GW]
Slide 19
Google Compute Engine
• A Network cannot be further segmented
• A Network has firewalls (some functionality is close to a SG)
• Routing controls are currently not exposed
[Diagram: GCE Networks (x N) behind a GW, with Firewalls (SG-like); no Subnets or Routing Tables]
Slide 20
Google Compute Engine
• A Network can span multiple Zones
• And Firewall rules can be applied to instances in a global way
[Diagram: GCE Networks (x N) behind a GW, with Firewalls (SG-like); no Subnets or Routing Tables]
Slide 22
CloudStack: Basic Mode
• Supports SecurityGroups
• But they belong to the “Domain” and apply to all uses of the shared network
[Diagram: CloudStack Basic Mode: Network (x N) behind NAT, with Security Groups]
Slide 23
CloudStack: Basic Mode
• Instances within a Network are scoped to a Zone
• Each instance can have multiple SecurityGroups attached to it
[Diagram: CloudStack Basic Mode: Network (x N) behind NAT, with Security Groups]
Slide 25
CloudStack: Advanced Mode
• There is no further segmentation based on Subnets
• Supports Firewalls (and SGs if the network is shared)
[Diagram: CloudStack Advanced Mode: Networks (x N) behind a GW, with Firewalls and Security Groups*]
* Except KVM
Slide 27
CloudStack: Advanced Mode (VPC)
• A VPC is segmented by Tiers (still scoped to a Zone)
• No explicit Network interface support in API
[Diagram: CloudStack VPCs (x N) behind a GW, each segmented into Tiers 1-3]
Slide 29
CloudStack: Advanced Mode (VPC)
• Note: a CloudStack cloud can mix all 3 networking modes:
• Basic, Advanced and VPC
• The mode is set at the Zone level
[Diagram: CloudStack VPCs (x N) behind a GW, with Firewalls, Security Groups and Routing Tables, each VPC segmented into Tiers 1-3]
Slide 32
Multicloud Network Abstractions
• A Cloud has multiple Networks
• A Network defines an isolation perimeter (and has a CIDR block)
• Incoming/Outgoing communication must go through GWs
[Diagram: Networks (x N), each behind a GW]
Slide 33
Multicloud Network Abstractions
• Subnets further segment Networks into IP CIDR sub-blocks
• Instances can be connected to a Subnet through NetworkInterfaces
• A Subnet is scoped to one (or zero) Datacenters
[Diagram: Networks (x N) behind a GW, each containing Subnets 1-3 with Network Interfaces]
Slide 35
Multicloud Network Abstractions
• Instances are launched within a Datacenter (placement)
• Instances are connected to multiple Subnets via Network Interfaces (connectivity)
• Connectivity restrictions may apply depending on the Cloud
• SecurityGroups are bound to Network Interfaces (i.e., different rules per subnet)
[Diagram: Networks (x N) behind a GW; each Network contains Security Groups, Routing Tables, Network ACLs, and Subnets 1-3 with Network Interfaces]
Slide 37
Multicloud Network Abstractions
[Diagram: the full abstraction model: Networks (x N) behind a GW, with Security Groups, Routing Tables, Network ACLs, Subnets 1-3 with Network Interfaces, Datacenters (DC 1, DC 2, ...), Volumes, Images and Volume Snapshots]
Slide 38
Multicloud Network Abstractions
[Diagram: the full abstraction model as on slide 37, plus assignable IP Addresses and IpAddress Bindings (Instance + [IP] + [ports])]
Slide 39
Managing Multicloud Resources
• Accessible both through our new UI and API
• It presents a single interface for your cloud Network infrastructure
• Aggregates resources across regions, providers and software versions
• Network/Security operators design and analyze from a single pane of glass
• Infrastructure operators can manage those abstractions in deployments
• How will this look in the UI?...
Slide 46
Managing Multicloud Resources: API
• RESTful API : multicloud as of version 1.5
• Creating a Network/Subnet
• New resources, very simple attributes (Name, CIDR…)
POST /api/networks
{
  "name": "Foobar App Network",
  "cidr_block": "10.1.2.0/24",
  "cloud_href": "/api/clouds/1234",
  "tenancy": "default"
}
HTTP Code: 201 Created
Location: /api/networks/10
Slide 47
Managing Multicloud Resources: API
• Creating a Server
• Can specify which Network it belongs to
• Can set the list of subnets it needs to be attached to (or the default subnet)
• Alternatively, can specify which already existing Network Interfaces to attach
POST /api/servers
{
  "name": "My Foobar Server",
  "network_href": "/api/networks/10",
  "subnet_hrefs": [ "/api/subnets/11", "/api/subnets/12" ],
  "security_group_href": [ "/api/security_groups/6", "/api/security_groups/7" ],
  "datacenter_href": "/api/datacenters/1",
  …cloud_settings, server_template, inputs…
}
HTTP Code: 201 Created
Location: /api/servers/50
Slide 48
Managing Multicloud Resources: API
• IpAddressBinding resources also manage ports:
• Attaching an IP without port ranges maps all ports of the IP to the instance
• An IpAddress can be restricted to a port range (for clouds that support it)
POST /api/ip_address_bindings
{
  "instance_href": "/api/instances/1",
  "public_ip_address_href": "/api/ip_addresses/2",
  "protocol": "tcp",
  "public_port": 80,      (optional)
  "private_port": 8080    (optional)
}
HTTP Code: 201 Created
Location: /api/ip_address_bindings/9
Slide 49
Managing Multicloud Resources: API
• Available soon:
• Networks
• Subnets
• SecurityGroups (bound to Networks and NetworkInterfaces)
• IpAddresses / Bindings (with the port forwarding abstractions)
• Routing tables and Network ACLs
• API and UI are being designed
• Implementation not started yet
• But expect to be able to create/delete routes and rules soon
Slide 50
Note on Synthetic Resources
• What about resources that are required but non-existent in the cloud?
• A server can be connected to subnets (and to SecurityGroups through them)
• We will create (wrap) these resources synthetically for you
• So clients using the API see a consistent model
• Example: Subnets in Amazon EC2 Classic
Slide 51
Synthetic Resources for EC2 Classic
• EC2 classic doesn’t have subnets
• But you still want to create your servers using the same abstractions
[Diagram: Amazon EC2 Classic: a single Network (x1) behind NAT, with Security Groups]
Slide 52
Synthetic Resources for EC2 Classic
• We will create a Synthetic Network to refer to the implicit classic EC2 Network
• We will create one Synthetic Subnet for each available Datacenter
• So you can specify the server configuration in a consistent manner
• Regardless of EC2 Classic, Amazon VPC, or any other cloud
[Diagram: Amazon EC2 Classic: a single Network (x1) behind NAT with Security Groups; Synthetic Subnets 1-3, each with a Synthetic Interface]
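A toy model of the synthetic-resource idea above and of the abstraction rules from slide 35, as an added example that is not RightScale's code: it wraps an EC2 Classic cloud in a synthetic Network with one synthetic Subnet per Datacenter, then validates a server request the way a single multicloud API has to (subnets belong to the requested Network, a subnet's Datacenter matches the placement, Security Groups are scoped to the Network and bound per NetworkInterface rather than to the instance). All class and function names are assumptions.

```python
# Added example, not RightScale's code: a toy model of the deck's abstractions
# (Network, Subnet, NetworkInterface, SecurityGroup scoped to a Network) plus the
# synthetic Network/Subnets wrapped around EC2 Classic. All names are assumptions.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Subnet:
    href: str
    network_href: str
    datacenter_href: Optional[str]  # a Subnet is scoped to one (or zero) Datacenters
    synthetic: bool = False

@dataclass
class Cloud:
    href: str
    datacenter_hrefs: list
    networks: dict = field(default_factory=dict)         # network href -> CIDR
    subnets: list = field(default_factory=list)
    security_groups: dict = field(default_factory=dict)  # SG href -> network href

def wrap_ec2_classic(cloud: Cloud) -> str:
    """EC2 Classic has no Networks or Subnets: synthesize one Network for the implicit
    network, one Subnet per Datacenter, and scope the cloud's SGs to that Network."""
    net = f"{cloud.href}/synthetic_network"
    cloud.networks[net] = "implicit"
    for i, dc in enumerate(cloud.datacenter_hrefs, 1):
        cloud.subnets.append(Subnet(f"{net}/synthetic_subnet_{i}", net, dc, synthetic=True))
    for sg in cloud.security_groups:
        cloud.security_groups[sg] = net
    return net

def plan_server(cloud, network_href, subnet_hrefs, security_group_hrefs, datacenter_href):
    """Validate a server request and return one NetworkInterface per Subnet; SGs bind
    to each interface (not to the instance) and must belong to the same Network."""
    if network_href not in cloud.networks:
        raise ValueError(f"unknown network {network_href}")
    for sg in security_group_hrefs:
        if cloud.security_groups.get(sg) != network_href:
            raise ValueError(f"{sg} is not scoped to {network_href}")
    by_href = {s.href: s for s in cloud.subnets}
    interfaces = []
    for href in subnet_hrefs:
        sub = by_href.get(href)
        if sub is None or sub.network_href != network_href:
            raise ValueError(f"{href} is not a subnet of {network_href}")
        if sub.datacenter_href not in (None, datacenter_href):
            raise ValueError(f"{href} is scoped to {sub.datacenter_href}, not {datacenter_href}")
        interfaces.append({"subnet_href": href, "security_group_hrefs": list(security_group_hrefs)})
    return interfaces
```

The same `plan_server` check applies unchanged to a VPC-style cloud whose Networks and Subnets are real, which is the point of wrapping Classic synthetically.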
Slide 53
Summary
• Cloud Networking is messy and it varies greatly
• But choice and configurability are very important
• RightScale abstractions allow you to
• Operate and manage your Cloud networking from a single pane of glass
• Using higher level, easier abstractions
• While keeping the power to go down to the guts when needed
• Available through both UI and API
• Portable across clouds, cloud providers and cloud versions
• Give it a try
• Manage your Networking more consistently, and at a higher level
• While still taking advantage of the cloud features that make sense for you
• But not at the cost of losing focus on your business
• You don’t have to be a multicloud user to get the advantages…
In this talk I’m going to make the case that managing cloud networking is hard and show the preview of what we’ve been working on at RS that can help you with that complexity, even across cloud providers